BRASP: Boolean Range Queries over Encrypted Spatial Data with Access and Search Pattern Privacy

Published 9 Apr 2026 in cs.CR | (2604.07797v1)

Abstract: Searchable Encryption (SE) enables users to query outsourced encrypted data while preserving data confidentiality. However, most efficient schemes still leak the search pattern and access pattern, which may allow an honest-but-curious cloud server to infer query contents, user interests, or returned records from repeated searches and observed results. Existing pattern-hiding solutions mainly target keyword queries and do not naturally support Boolean range queries over encrypted spatial data. This paper presents BRASP, a searchable encryption scheme for Boolean range queries over encrypted spatial data. BRASP combines Hilbert-curve-based prefix encoding with encrypted prefix–ID and keyword–ID inverted indexes to support efficient spatial range filtering and conjunctive keyword matching. To hide the search pattern and access pattern under a dual-server setting, BRASP integrates index shuffling for encrypted keyword and prefix entries with ID-field redistribution across two non-colluding cloud servers. BRASP also supports dynamic updates and achieves forward security. We formalize the security of BRASP through confidentiality, shuffle indistinguishability, query unforgeability, and forward-security analyses, and we evaluate its performance experimentally on a real-world dataset. The results show that BRASP effectively protects query privacy while incurring relatively low computation and communication overhead. To facilitate reproducibility and further research, the source code of BRASP is publicly available at https://github.com/Egbert-Lannister/BRASP

Summary

  • The paper introduces BRASP, a dual-server scheme that supports Boolean range queries while protecting both access and search patterns in encrypted spatial data.
  • It leverages Hilbert-curve-based prefix encoding and dual encrypted inverted indexes to efficiently filter spatial and textual data.
  • Experimental results show significant computation savings and scalable dynamic updates, outperforming existing baselines on large datasets.

Problem Statement and Motivation

The paper "BRASP: Boolean Range Queries over Encrypted Spatial Data with Access and Search Pattern Privacy" (2604.07797) examines the challenge of supporting Boolean range queries in outsourced spatial databases, especially under the constraints of access pattern and search pattern privacy. In Location-Based Services (LBS), spatial keyword queries retrieve records subject to both spatial and textual predicates, but processing such queries over encrypted data on untrusted public clouds is non-trivial due to significant privacy leakage risks. While searchable encryption (SE) mechanisms have been studied extensively, existing designs typically expose search and access patterns or only protect one, failing to meet the needs of multifaceted real-world spatial queries and practical security guarantees.

Technical Design and Methodology

BRASP (Boolean Range Queries with Access and Search Pattern Privacy) advances the state of the art by introducing an efficient dual-server searchable encryption scheme for spatial data. The scheme leverages Hilbert-curve-based prefix encoding, enabling dimensionality reduction and efficient representation of spatial locality.

Figure 1: Hilbert curves map multidimensional space to a one-dimensional order, supporting spatial locality.

To support rapid range filtering and conjunctive keyword matching, BRASP builds two encrypted inverted indexes: a prefix–ID index (for spatial predicates) and a keyword–ID index (for textual predicates).

Figure 2: Prefix–ID and keyword–ID inverted indexes enable efficient filtering along both spatial and textual dimensions.

The privacy of search and access patterns is ensured via a lightweight dual-server architecture, assuming two non-colluding honest-but-curious servers. BRASP incorporates index shuffling (re-randomization and permutation of index entries), tailored proxy pseudorandom functions (TPF) for encoding keywords and prefixes, and universal re-encryption (TUR) mechanisms for the ID fields. Each query triggers index shuffling and redistribution of ID fields, further mitigating pattern leakage.

Figure 3: Index shuffling at CS_1 ensures non-linkability of index entries across query rounds.

BRASP supports dynamic updates with forward security, ensuring that insertions cannot be correlated with preceding queries and vice versa. The update operations are efficiently realized by splitting encrypted bitmaps between the two servers; subsequent shuffles decouple historical and current states.

The prefix membership verification scheme optimizes spatial filtering via minimal prefix covers, enabling scalable query processing.

Figure 4: Prefix membership verification for spatial range queries, boosting spatial predicate efficiency.
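The following is an added illustration of the three building blocks just described (Hilbert-curve prefix encoding, minimal prefix covers for a rectangular range, and prefix–ID / keyword–ID inverted indexes queried conjunctively); it is not code from the paper or its repository. It assumes a 2^k × 2^k integer grid, uses HMAC-SHA256 as a plain keyed PRF in place of the paper's TPF, and omits the dual-server shuffling and ID re-encryption, so the server-side structure here still reveals search and access patterns; the point is to show why a range predicate reduces to a handful of prefix lookups.

```python
"""Hilbert prefix encoding + minimal prefix cover + two inverted indexes.
Added example; not the BRASP code. HMAC labels stand in for the paper's TPF.
No shuffling / ID redistribution is modelled here."""
import hashlib
import hmac


def _rot(n, x, y, rx, ry):
    # Flip/rotate a quadrant so the curve orientation matches the parent level.
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def hilbert_index(k, x, y):
    """Position of (x, y) on the Hilbert curve over a 2^k x 2^k grid (2k bits)."""
    n = 1 << k
    d, s = 0, n >> 1
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)   # quadrant order at this level: 0,1,3,2
        x, y = _rot(n, x, y, rx, ry)
        s >>= 1
    return d


def hilbert_code(k, x, y):
    """Zero-padded 2k-bit binary string; its first 2j bits name the level-j cell."""
    return format(hilbert_index(k, x, y), "0%db" % (2 * k))


def prefix_cover(k, x_lo, y_lo, x_hi, y_hi):
    """Minimal set of code prefixes covering the inclusive box [x_lo..x_hi] x [y_lo..y_hi].
    A quadtree cell is emitted only when it lies fully inside the box; otherwise it
    is split, so no emitted prefix could be replaced by a shorter one."""
    def rec(cx, cy, size, level):
        if cx + size - 1 < x_lo or cx > x_hi or cy + size - 1 < y_lo or cy > y_hi:
            return []                                   # cell disjoint from the box
        if x_lo <= cx and cx + size - 1 <= x_hi and y_lo <= cy and cy + size - 1 <= y_hi:
            return [hilbert_code(k, cx, cy)[: 2 * level]]   # cell fully inside
        half = size >> 1
        out = []
        for dx in (0, half):
            for dy in (0, half):
                out.extend(rec(cx + dx, cy + dy, half, level + 1))
        return out
    return rec(0, 0, 1 << k, 0)


def label(key, kind, value):
    """Keyed-PRF label for an index entry (assumption: HMAC in place of TPF)."""
    return hmac.new(key, (kind + ":" + value).encode(), hashlib.sha256).hexdigest()


def build_index(key, k, records):
    """records: {id: ((x, y), {keywords})} -> (prefix-ID index, keyword-ID index).
    Each record is posted under every even-length prefix of its Hilbert code."""
    prefix_idx, kw_idx = {}, {}
    for rid, ((x, y), kws) in records.items():
        code = hilbert_code(k, x, y)
        for plen in range(0, 2 * k + 1, 2):
            prefix_idx.setdefault(label(key, "p", code[:plen]), set()).add(rid)
        for w in kws:
            kw_idx.setdefault(label(key, "w", w), set()).add(rid)
    return prefix_idx, kw_idx


def boolean_range_query(key, k, index, box, keywords):
    """Client side: token = labels of the cover prefixes plus the keyword labels.
    Server side: union postings over the prefixes, intersect with each keyword."""
    prefix_idx, kw_idx = index
    p_tokens = [label(key, "p", p) for p in prefix_cover(k, *box)]
    w_tokens = [label(key, "w", w) for w in keywords]
    hits = set().union(*(prefix_idx.get(t, set()) for t in p_tokens))
    for t in w_tokens:
        hits &= kw_idx.get(t, set())
    return sorted(hits)


# Constructed sample data (not from the paper's dataset).
KEY = b"constructed-client-key"
K = 3                                     # 8 x 8 grid, 6-bit Hilbert codes
RECORDS = {
    "r1": ((1, 1), {"cafe", "wifi"}),
    "r2": ((2, 3), {"cafe"}),
    "r3": ((6, 6), {"cafe", "wifi"}),
    "r4": ((3, 0), {"bar", "wifi"}),
}
INDEX = build_index(KEY, K, RECORDS)

if __name__ == "__main__":
    print(prefix_cover(K, 0, 0, 3, 3))                                   # ['00']
    print(boolean_range_query(KEY, K, INDEX, (0, 0, 3, 3), {"cafe"}))   # ['r1', 'r2']
```

The lower-left quadrant of the grid collapses to the single prefix `00`, so the range predicate costs one posting-list lookup rather than sixteen point lookups; a box that is not quadtree-aligned, such as (0,0)–(5,3), needs three prefixes of mixed length. Without the paper's per-query shuffle and ID redistribution, the server learns which labels repeat and which IDs are returned, which is exactly the search- and access-pattern leakage BRASP's dual-server layer is designed to remove.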

Security Analysis

BRASP’s security is formalized and analyzed with respect to four goals:

  • Confidentiality: No information beyond allowed leakage is exposed to any cloud server.
  • Shuffle Indistinguishability: Servers cannot link pre- and post-shuffle index entries even under repeated queries.
  • Query Unforgeability: Adversaries cannot produce valid search tokens for unseen queries without client key knowledge.
  • Forward Security: Updates are unlinkable with prior queries, preventing information leakage about historical query matchings.

Security proofs leverage the hardness of distinguishing the outputs of TPF and TUR from random, and rely on the collision resistance of keyed pseudorandom functions and the unlinkability afforded by universal re-encryption.

Experimental Results

BRASP is benchmarked against competitive baselines (VPBRQ_SupL, PPSKS) using the Yelp business dataset. The performance study is conducted over index building, token generation, search, and update phases, measuring both computation and communication overheads.

Token Generation

Figure 5: Token generation in BRASP outperforms baselines in computational and communication efficiency.

BRASP demonstrates consistently lower token-generation overhead, with lightweight pseudorandom encodings outperforming more expensive distributed point function approaches.

Search Operations

Figure 6: BRASP achieves lower search computation cost compared to baseline schemes across scaling spatial objects and keyword dimensions.

BRASP’s dual-server retrieval and shuffle incur slightly higher communication cost than single-server schemes, but computation overhead is substantially reduced, notably in scaling scenarios with large object counts or query keyword sets.

Dynamic Updates

Figure 7: Update overheads scale with database and update workload size in BRASP, reflecting efficiency of encrypted bitmap share refresh.

BRASP supports scalable update with moderate overhead growth as database size increases, an essential feature for practical spatial data outsourcing.

Numerical Results and Contradictory Claims

The paper presents evidence of significant numerical improvements of BRASP over prior baselines in search and update operations, with computation savings of up to an order of magnitude for large datasets. The authors assert that BRASP achieves access and search pattern privacy simultaneously, without relying on heavy homomorphic encryption or communication-intensive multi-server primitives, in contrast to the assumptions made in previous designs. The claim that dual pattern privacy and forward security can be achieved in a lightweight architectural setting runs counter to the prevailing belief that this necessitates costly computation or elaborate server coordination.

Implications and Future Directions

The practical efficacy of BRASP for Boolean range queries over encrypted spatial data suggests applicability for privacy-preserving spatial database outsourcing in logistics, IoT, urban planning, and LBS domains. Theoretical advances provide a blueprint for scalable pattern-hiding SE in general multidimensional settings. Dual-server architectures represent a promising trade-off between privacy and overhead, though real-world deployment necessitates robust server non-collusion assumptions and operational SLAs.

From a research standpoint, BRASP opens pathways to:

  • Optimizing index structures for further communication minimization.
  • Extending the dual-server paradigm to decentralized or federated deployment models.
  • Investigating efficient integration of spatial joins, ranking, and complex Boolean logic into the SE framework.
  • Studying practical adversaries in more nuanced threat models, including partial collusion or side-channel attacks.

Speculatively, future AI systems interfacing with spatial data in encrypted form could exploit pattern-hiding protocols to preserve user and operator privacy while enabling rich query semantics and real-time analytics.

Conclusion

BRASP introduces a technically rigorous solution to Boolean range queries over encrypted spatial data, achieving simultaneous protection of search and access patterns with practical efficiency and forward security. Its deployment-ready security and performance analyses validate its suitability for contemporary LBS and spatial data outsourcing applications. The architectural and cryptographic innovations therein catalyze new research trajectories for privacy-preserving query processing in multidimensional encrypted contexts.
